Zoom, the increasingly popular video-call service, seems to be leaking data like a colander draining pasta. A new report says the email addresses and photos of Zoom users are up for the taking, which would let random strangers start video calls with anyone they please.
This news comes from Vice, which points to problems with a default Zoom setting that in many cases places everyone who uses the same email domain into a "company directory" and makes them all visible to each other.
- Zoom vs. Google Hangouts: Which video chat service is right for you?
- How to change your Zoom background
- Best Zoom alternatives
While many new Zoomers will likely not know about this setting — Zoom was primarily an enterprise tool before COVID-19 changed life as we know it — knowing about this one setting is the difference between getting your contact info and photos shared with strangers.
How to disable Zoom's Company Directory setting
To find the Company Directory setting to disable this feature, Zoom users with paid accounts should open https://zoom.us/account/im/setting. It's not available to free users.
Zoom tries to prevent problems with this feature by exempting the big webmail providers, as you can see in the fine print of Zoom's Managing Contacts help section:
By default, your Zoom contacts directory contains internal users in the same organization, who are either on the same account or who's [sic] email address uses the same domain as yours (except for publicly used domains including gmail.com, yahoo.com, hotmail.com, etc) in the Company Directory section.
You can also use this Zoom page to submit your email domain for exemption.
Why Zoom is leaking data
This nifty user-sorting idea runs into trouble when it encounters webmail domains that are not widely known. Vice talked to Barend Gehrels, a Zoom user who saw this issue flare up with the Dutch ISP domains xs4all.nl, dds.nl, and quicknet.nl.
Even though free users don't have access to Zoom's Company Directory setting, it's seemingly still affecting them.
That's according to twitter user @JJVLebon, who "registered with [a] private email." and then "got 1000 names, email addresses and even pictures of people in the company Directory." The user used the hashtag #GDPR to highlight the inherent privacy threat.
Hopefully, we will see Zoom change how this works, and soon. It's become the app that housebound people are using to communicate with others. Heck, I even used Zoom to take a yoga class online. And while you could write this off as a niche problem, it's something that you should have to opt into, not hurriedly opt out of.
Another Zoom no-no
Oh, and one more thing: don't share screenshots with your Zoom Meeting ID online. British Prime Minister Boris Johnson learned this lesson the hard way when he tweeted out the photo below but didn't crop out the 9-digit ID number used for Her Majesty's Cabinet meetings:
This morning I chaired the first ever digital Cabinet. Our message to the public is: stay at home, protect the NHS, save lives. #StayHomeSaveLives pic.twitter.com/pgeRc3FHIpMarch 31, 2020